The tone of resilience followed the 11^th Annual Shared Assessments Summit to the Santa Fe, New Mexico home of Catherine A. Allen, Chairman and CEO of The Santa Fe Group. Recovering from an email hack, Cathy hosted sixty guests who enjoyed her signature Missouri ham, dined al fresco in the courtyard as the sun set, and listened to an esteemed panel of subject matter experts speak about Cyberwarfare and National Security: What Americans Need to Know.

Senator Jeff Bingaman, former US State Senator from New Mexico, reinforced the importance of cyber issues and the urgent need for Congress to understand this importance. He introduced the evening’s panelists including:

• Catherine A. Allen, The Santa Fe Group
• Mark Fidel, Co-Founder of RiskSense, Inc.
• Damon Martinez, Former U.S. Attorney and Congressional Candidate
• Valerie Plame, Former CIA Operative, Author and Cyber Expert

Damon Martinez, former U.S. Attorney and Congressional candidate, covered cyber threats to our democracy, the evolution of protection technologies, protecting voting machines and the undermining of the fundamental basics of our democracy. He spoke about the role of New Mexico National Labs, airspace and missiles and showed Russia’s development of strikingly similar technology to ours, subsequent to us developing it first, in his handout entitled “Emerging Threats: Russian Interference in U.S. Elections and the New Frontier of Cyber Security”.

Mark Fidel, Co-Founder of RiskSense, Inc. focused on vulnerabilities including threat and vulnerability management, election systems vulnerabilities, and the supply chain of digital information that serves the labs in and out of New Mexico. Citing the issues surrounding our election system, Mark described the various vendors involved with the management of the voting process and his commitment to shoring up our systems to protect our democracy and to ensuring a fair, free, and accurate election process.

Valerie Plame, former CIA operative, author, and cyber expert shared her expertise in nuclear proliferation and experience with The New War: Cyberwarfare. Valerie described the relationship between international security and cyberwarfare, our adversaries, and why we should be concerned about Iran, North Korea, China and Russia. Speaking to the gray area between war and peace, she explained the financial benefits of war to a few versus the low profit margin of fighting cyberwarfare.

Catherine A. Allen, Chairman and CEO at The Santa Fe Group and corporate board director, explained the concern of cyberwarfare and critical infrastructures as well as the impact of cyber tactics. Sitting on several boards including that of El Paso Electric Company, Cathy knows the corporate perspective on cyberwarfare. She described the impact of fake news with a visual graphic in hand and reinforced the importance of data integrity. In addition to the media biased chart, The Santa Fe Group provided handouts and multiple relevant materials to guests, including Cathy’s “Cyberwarfare and Critical Infrastructures” and the Ponemon Institute’s “Second Annual Study on The Internet of Things (IoT): A New Era of Third-Party Risk” sponsored by Shared Assessments, a program under The Santa Fe Group umbrella. Handouts quickly moved into guest’s hands as Cathy emphasized that protecting one’s personal and company assets are a must in today’s world of new warfare.

Stating there are not enough people in public policy who are aware of cyber issues and the impact associated, panelists recapped their concerns and suggestions as:

• Heighten awareness of one’s own biases – go far and wide and beyond
• Education is key
• Think
• Stay strong and informed
• Voice your concerns about cyberwarfare and the threat to our democracy and safety to your Congressmen
• Vote

The sun set. And as guests left, they left more aware of cyber threats, than when they arrived, with a tone of resilience.

Sylvie Obledo is a Project Manager with The Santa Fe Group, Shared Assessments Program. As Project Manager, Sylvie facilitates thought leadership and collaboration of leadership teams and a variety of groups including the Continuous Monitoring Working Group and Vertical Strategy Groups in industry sectors including Asset Management, Consumer Product Goods, and Insurance. Her scope of work requires creative problem solving, planning, organization, and managing multiple timelines.

Our 11^th Annual Shared Risk Assessments Summit took place on April 11-12 at the Ritz Carlton in Pentagon City, VA and brought together thought leaders throughout the risk industry. The theme of this year’s Summit was resilience, and our 300+ attendees were able to hear from subject matter experts across an array of different industries on how to stay resilient amongst an abundance of new concerns.

Opening Remarks

The day started with opening remarks from our CEO, Catherine Allen, who discussed these new concerns, namely, cyber warfare, fake news, supply chain disruptions, AI, and IoT, and how to focus on detection strategies—we live in an era of when, not if. Following her opening remarks, she introduced our keynote speaker, and first ever recipient of our new Lifetime Achievement Award, Richard Clarke.

The Importance of Cassandras in Risk

Clarke, CEO of Good Harbor LLC, explained the importance of “Cassandras” in assessing risk. AI, genetic engineering, and the IoT are all current fields where experts have data that proves we are going to have significant problems, but nothing is being done about it.

When it comes to risk management at the national and corporate level, these outlier experts are being ignored. Clarke stressed the importance of systematically looking for Cassandras and being willing to listen them, despite the risk seeming outlandish, or even laughable.

While we don’t necessarily need to believe the Cassandra, we do need to give them enough credibility to show the data. Companies may need to adjust so that when they start to see what the Cassandra is predicting, they’ll already have contingency plans in place. As risk professionals, we need to take heed of the Cassandras, start making decisions, and reallocating resources in order to do things differently and mitigate the effects of catastrophic events.

New Vulnerabilities

Following Clarkes eye-opening keynote, we began our first panel discussion entitled, “The Future is Now: Emerging Technologies and the Impact on Controls.” The panel, moderated by Joe Prochaska, Synovus Financial Corp, included Holly Dockery, Sandia National Laboratories; Catherine Lotrionte, Georgetown University; and Jeff DeCoux, Hangar Technology. The panel focused on Artificial Intelligence (AI) and Internet of Things (IoT)—one of the main takeaways was the vulnerability that these new devices open us up to, and how manufacturers need to start stepping up and start involving the entire management team when evaluating the risks and exposures of their devices. Everyone should have visibility into what their technology can do and what the risks could entail.

Frameworks to Make the Dream Work

After a brief networking break, we began our second panel discussion on “Third Party Risk Frameworks.” The panel, moderated by Roger Parsley, Deutsche Bank, included Mark Holladay, Synovus Financial Corporation; Lin Lu, Freddie Mac; and Renee Forney, Capital One; and focused on how third party risk management fits into different organizations. The panel agreed that we in a new era of risk management, so it’s crucial to increase our skills and expertise in order to fulfill our responsibilities, no matter what the size of our organization. While risk classifications have changed over time, tiering is still important and mission critical vendors are integral to our risk framework, whether we’re at a small company, financial institution, or enterprise corporation. Lin Lu, Freddie Mac, said it best when she stated, “…third party risk is no different than any other risk.” Additionally, the panel touched on how emerging technologies are impacting how we handle third party risk and the importance of scalability. Organizations need to ask themselves:

• What risks do we have?
• What risks are we willing to take?
• What risks are we not willing to take?
• How does that impact the strategic goals of our business?

Believe in Your Mission

Following the frameworks panel, we enjoyed a case study presented by Prevalent. Brenda Ferraro, Senior Director, led the discussion with customer Bob Maley, Senior Strategist at PayPal.  Maley stressed the importance of understanding your company’s mission—if you’re building a program that’s driving your mission, when the regulators and examiners come in, it’s going to be easy. He also introduced the concepts of Chen, the things that everybody knows you do, and Chi, the unexpected, and explained how they relate to risk—if we do the same things over and over, the chen and chi flip. We have to figure out unique ways of staying ahead and understanding the risk of our vendors.

Making a Vendor Naughty List

After a delicious lunch buffet, and Solutions Showcases presented by Prevalent and Security Scorecard, we returned to hear insights on third party risk and resiliency from industry thought-leader Jim Routh. Routh gave us the frightening example of “Tina and Tony,” the office manager and broker who did not go through the proper authentication processes when using Amazon Web Services. Since “Tony” did not like passwords, there was no encryption or logging, which led to a security researcher finding and publishing the data, ultimately leaving him without a business. The main takeaway from Rouths’ presentation was the need to educate our third party vendors on their configuration of cloud controls. Finally, if you don’t have a vendor naughty list, you should—vendors need to be held accountable to the same high internal standards.

Will China Overtake Us?

Perhaps even more frightening than Routh’s “Tony and Tiny” example were John M. B. O’Connor’s thoughts on supply chain risk. O’Connor, Chief  Executive Officer, J.H. Whitney Investment Management, LLC highlighted the fact that we’re stepping into an unknown domain of technological complexity and the need to pivot hard and fast to global geo-politics, or risk being overtaken by China. O’Connor even cited how Henry Kissinger spent the majority of his career making sure the US was always more important to China than Russia. We need to widen our aperture and observe more broadly in order to put ourselves at the strategic level and fight at the strategic level.

People are the Problem… And the Solution

After this frighteningly eye-opening presentation, O’Connor joined our next panel discussion, which included Jim Routh, Chief Security Officer, Aetna, and Rocco Grillo, Executive Managing Director, Stroz Friedberg, for a discussion on resiliency. They highlighted how people are our biggest strength, but also our biggest vulnerability. We have to use the innovation in technology to shrink the threat of risk and acknowledge that behaviors at every level are subject to continuous monitoring. Redundancy is expensive and useless—we need to define resilience, create a sense of community that can endure stress, and have faith in the resilience of these community members to be strong enough to let go of the superficial senses of privacy.

Maintaining Personal Resilience

Following a brief networking break where attendees were able to mingle with our exhibitors, we returned for a heart-warming discussion on personal resiliency with Ambassador (ret.) Mary Ann Peters, Chief Executive Officer, Carter Center. According to Peters, who has had a long and rewarding career where she had to quickly adapt to different cultures, the top 5 keys to personal resilience are:

1) Be flexible and adapt to change

2) Embrace ambiguity

3) Get tough, but stay charming

4) Learn from mistakes and failures

5) Focus on helping others

Get Your Regulatory Geek On

Day one concluded with a panel discussion on the regulatory landscape, moderated by Ken Mortensen, Data Protection Officer, InterSystems Corporation, with panelists Valerie Abend, Managing Director, Accenture Security; Kevin Greenfield, Director for Bank Information Technology, Office of the Comptroller of the Currency; and Adam Greene, Partner, Davis Wright Tremaine LLP. As we watched Abend get her “regulatory geek” on, we were asked to contemplate our responsibilities in terms of the broader environments. As third party risk analysts, we need to push the needle a bit more, ask ourselves where we are going to start to fix some of the problems, and ensure that we’re operating at the level we need to operate with the level of assurance that every one of our parties is going to be confident in.

Celebrating Day One

We ended the first day of the conference with a reception, sponsored by SecurityScorecard—appetizers, refreshments, and networking with other risk professionals were the perfect conclusion to day one of our 11^th Annual Shared Assessments Summit.

Stay tuned for our summary of day two!

Last week at the Shared Assessments Annual Summit on third party risk, I had the chance to co-facilitate a half-day workshop on The Pivot to Codification of Best Practices of Third Party Risk Management Best Practices, plus moderate a discussion panel on the current privacy landscape.  Not surprising that GDPR was top of mind for many of the over 300 third party risk professional attendees, but so was digital privacy a topic not often deeply discussed when addressing the tenets of third party oversight. But, as risk professionals know, timing is everything. Having a third-party risk summit in Washington D.C during testimony by Facebook Inc. CEO Mark Zuckerberg, made for lively and thought-provoking dialog by participants.

While the starting point of the dialog was on the state of GDPR readiness, the overarching themes started to emerge in a broader context.  So, let’s get the GDPR discussion out of the way, and the tipping point we experienced in our workshop and panel.

Five things on GDPR

1. GDPR enforcement is close – the grace period is ending
2. GDPR is complex due to unintended consequences
3. There are no simple guarantees to determine if your vendors are GDPR compliance
4. Following the data daisy chain is daunting to determine GDPR scope
5. It’s a cloudy legal environment – GDPR guidelines require context and interpretation

The dialog on data maps, data protection impact assessments, data transfers, breach notification, and subcontractors are familiar concepts to most Information Technology, Security, and Risk Professionals. Whether requirements are coming from GDPR, OCC, NY DFS Section 500 or SEC Cybersecurity Disclosure Guidance, the expectations for maturing third party risk oversight are maturing along common themes.

The hype on GDPR has been the fear in the C-Suite of the potential for 4% fines and the burden it will place on many organizations to address new obligations. However, GDPR constructs of Data Controller” and “Data Processor” roles are becoming a more accepted framework internationally when looked at from the data subject point of view.  Implementing data portability and the right to be forgotten are absolutely requirements focused on the rights of the data subject.  At its core, GDPR is all about privacy rights, which is beyond a compliance checklist, but speaks to the culture and ethics of organizations. Focusing on only meeting the “legal” obligation vs. what is “right” thing to do can be short sighted.

Many organizations may be missing an opportunity to treat GDPR readiness as an opportunity to affirm customer trust. Transparency and disclosure of consumer privacy rights should not be simply looked at as a compliance burden, but an opportunity to send a positive message to customers.  Don’t let the customer or data subject become the last area of focus in your readiness and GDPR program management plan.

The consumer theme became even more apparent due to the serendipity of having risk management sessions amid congressional Facebook, Inc. testimony.  The questioning on data sharing and usage disclosures requires looking at this not only from an organizational but consumer’s rights point of view. While the audience makeup was more technology savvy than other conferences I have attended, it was sadly amusing to see how little some of our D.C. legislators knew about how social media works. Data sharing platforms are designed to deliver customized content.  The purpose of the platform is about collecting and using data to sell content and provide a consumer application. Customization can’t occur without collecting and using elements of data. The concept of consent and how it is obtained I think will be the broader implication to reconciling U.S. Privacy Law and EU based models.

We are living in a mobile world that is becoming even more digitally connected, with layers of third party relationships involved in the internet ecosystem. That genie is out of the bottle to use a tired expression, but now that genie is in the cloud, and there is not any going back to the days of analog.

Five things on Digital Privacy

1. Make sure that social media/web marketing providers have contracts that outline not only their obligations but the limitations they must adhere to.
2. For marketers, educate within your organization on the differences between explicit and implicit consent. Likely your own C-Suite may not understand those differences and the limitations on data utilization.
3. Remember that customers have a short attention span and memory of what they agreed to when they signed up for a service. Don’t just inform when a change has occurred but put reminders into ongoing campaigns.
4. Privacy is personal. Just like there are different risk appetites, there are different privacy appetites. Recognize that you must think about customers from both ends of the privacy risk continuum.
5. Don’t just hide the terms in the click agreement – enable privacy preferences with easy to use options. Put the consumer or data subject first.

Our ending privacy take-away to the attendees, was to get yourself a rubber bracelet, commonly used to promote causes, but this time your cause is the consumer or data subject. That privacy bracelet, “What Would Data Subjects Want” is your litmus test to assessing requirements, changes, or interpretation for those gray areas of privacy compliance. So, wear your privacy bracelet with pride as a constant reminder as you navigate the upcoming year of change in privacy and data protection!  #WWDSW

Privacy Panel:  (Moderator) Linnea Solem, President Solem Risk Partners, LLC and Advisory Board Member and Chairperson of the Shared Assessments Program Privacy Working Group; Andrew McDevitt, Sr. Privacy Analyst, Northrop Grumman; Nathan Johnson, Sr. Privacy Manager, Eli Lilley and Company; and Lisa Berry-Tayman, Sr. Manager, Cyberscout Solutions.

Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program, recently sat down with one of our partners, Aravo Solutions, as part of their expert series on third party risk management. Read what Tom has to say about the ways that collaboration can enhance your TPRM program.

Collaboration is a term that makes people either cheer or wince. However, today collaboration is essential to be a successful third party risk manager – the discipline has moved well beyond administrative box-ticking. Now, a strong culture of collaboration can help create the right environment to foster TPRM program excellence, and drive real value for organizations.

If that sounds difficult to achieve, third party risk executives need to become aware that they are not “flying this plane alone,” says Tom Garrubba, Senior Director at Shared Assessments, a member-driven consortium that creates standards around outsourcing, including assessment questionnaires. “Remember, you have a pilot, a co-pilot, a navigator, flight attendants, baggage handlers and others.” All of these stakeholders need to be involved to make TPRM work – and to make it work better.

Below are Garrubba’s six key ways that collaboration can put the right wind into the sails of a TPRM program:

• Become involved in standardization programs. Standardization is on the rise, and will become best practice for firms over the next two or three years, says Garrubba. Programs such as Shared Assessments enable organizations to benefit from a substantial body of knowledge and understanding that has been built up over more than a decade. “When creating a third party risk assessment, there is no need to reinvent the wheel,” says Garrubba. “It is very likely that other organizations have run into similar challenges, or have comparable information needs about the vendors they work with.” Working with a well-known group means that an organization can trust the information and suggestions it is receiving. “Google,” Garrubba says, “is a less reliable source of ideas about what a third party assessment should be asking about.” Being part of a group can help when it comes to new requirements, too. Garrubba worked with the Shared Assessments’ Privacy Committee to develop the Shared Assessments GDPR Data Processor Privacy Toolkit, launched in December 2017. This Tool Kit provides guidance to help organizations conform to the European Union’s (EU) General Data Protection Regulation (GDPR) Article 28. The Tool Kit outlines what companies need to do to comply with this privacy-focused element of the regulation.
• Reach out to your regulators. Around the globe, regulators are beginning to put out more guidance and rules around third party risk. “The US regulators’ Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Appendix J and Office of the Comptroller (OCC) 2013-29 provide a very user-friendly foundation for what third party risk best practice looks like,” says Garrubba. “You don’t have to have a lawyer sitting next to you to understand it. It’s really good guidance on what organizations should be doing.” These regulatory frameworks can provide an excellent starting point for third party risk programs, he says. The EU’s GDPR is also a good framework to understand what a company should be doing around data privacy. Organizations should make sure that, first of all, their programs are complying with all of the necessary rules that may impact them from around the globe, before moving on to enhance their program further. Secondly, a third party program manager can do to enhance the organization’s regulatory relationships is to “document, document, document!” says Garrubba. This gives the regulator the ability to see – quickly and easily – just how well the third party risk program is doing, and to take all of the organization’s efforts into consideration. “You are never going to hit 100% compliance; however, you can hit conformity,” says Garrubba. “Compliance is very black and white, either you have it or you don’t, there is not a lot of grey. There are some regulators who might throw in a touch of grey – that’s more in the lines of conformity, rather than compliance.”
• Bond with your board of directors. Third party risk programs need to have board support. “Otherwise,” says Garrubba, “they can become a paper tiger. If you do not have senior-level support, you are not going to have a successful program.” All policies and processes should be agreed, at least in principle, by senior management and the board – and should be actively promoted by them. As well, senior management and the board are sometimes needed to ensure business units comply with third party programs and the changes they may require. Says Garrubba, “You want to make sure that what you are doing is something that will go across the entire enterprise.” In return, the third party risk program should be sure it is supplying the board of directors and senior management with the information it wants and needs to think constructively about third party risk.
• Have coffee with internal audit, legal, compliance… When creating an assessment questionnaire, it’s important to work with all of the key stakeholders. Says Garrubba, “It’s important that they are on board with what you are doing and that they are helping you shape your questions.” Having several pairs of eyes vet a list of questions can help make sure that the language is clear and that it will achieve the answers needed. A close relationship with internal audit can be particularly fruitful, he says – often internal auditors can provide expertise on not only drafting questions but also analysing the answers.”
• Friend your vendors. “Why do organizations contract with a third party,” asks Garrubba. “Either because it is cheaper or because they don’t have the talent and the technology to do the process themselves.” This implies that a third party has wisdom it can bring to the relationship between the two organizations. “Organizations really should be treating third parties as a component within their organization – they are a partner, treat them like a partner,” he says. “Don’t treat them like a step brother or sister you cannot really stand.” The reality is that the third party may be able to share information that can help the organization, and they in turn may be running their own third party programs that you can learn from. Says Garrubba, “I’ve spoken with companies that have said their third parties made their own company stronger. They looked at what a third party was doing and said, ‘We should be doing this too.'” He also says he’s seen organizations give third parties extra business, to grow the relationship, as a result of benefitting from this kind of collaboration.
• Know your business. Having a good working relationship with the business units is essential, says Garrubba. He says that when he was in previous roles, he used to have coffees, lunches, and dinners with a wide range of internal stakeholders to find out what their upcoming projects were, and better understand the company’s overall business strategy and ability to execute. For example, these conversations often helped ensure that new business opportunities were analysed correctly, keeping in mind the company’s own operations and outsourcing needs for fulfilment. Sometimes, best practices from one business unit could be shared with others. Or a casual conversation can help both the business unit and third party risk feel comfortable that things are just “on track.” Having less formal give-and-take can make it easier to resolve challenges, when they occur, too.

In short, third party risk managers need to be sure they are actively collaborating across the business – and outside the business – to be successful today. Many firms are choosing to support this with a software solution, which can make collaboration easier – by providing a “single source of truth” for data, and a platform through which some key conversations, particularly around specific processes, can take place. Creating the right third party risk environment will enable the correct culture to take root and flourish.

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. His is an internationally recognized subject matter expert and top-rated speaker on third party risk.

Shared Assessments is excited to announce the release of the updated 2018 Shared Assessments Program Tools, which serve organizations for risk management, regardless of size and industry. The Tools help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, to due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring and termination. The Tools embody a “Trust, but Verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.

The Shared Assessments Program Tools are:

• 2018 Standardized Information Gathering (SIG) questionnaire for remote assessment;
• 2018 Shared Assessment Standardized Control Assessment (SCA) procedures for performing onsite assessments;
• 2018 Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices; and
• The new EU General Data Protection Regulation (GDPR) Tool Kit

Creating Sustainable Standardization in Today’s High Risk, Cyber-Based Environment
Continuous quality improvement evaluation of the Program Tools and our other third party risk management resources is conducted to ensure that:

• Content updates are in line with modifications in domestic and international regulations, changes in industry standards and guidelines, and the emergence of new risks.
• Program Tools remain relevant in response to the growing and shifting nature of cyber security threats and vulnerabilities.
• A standardized process and tools are available that employ a clear, consistent methodology for third party service provider management strategy and risk control verification assessments to reduce duplication of effort for outsourcers and providers.

Updated 2018 Program Tools
These updated Tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.

The 2018 Standardized Information Gathering (SIG) Questionnaire

• The SIG employs a holistic set of industry best practices for gathering and assessing information technology, cybersecurity, privacy and data security risks and their corresponding controls. It serves as the “trust” component for outsourcers who wish to obtain succinct, scoped initial assessment information regarding a service provider’s controls. The SIG can also be used proactively by providers, to reduce initial assessment duplication and assessment fatigue.

Enhancements to the 2018 SIG include:

• SIG Scoping: In response to user feedback, the most significant change you will notice is the addition of a new Scoping Tab, which allows for multiple ways to customize the SIG questions for a company’s individual needs. This tab will be the first stop in starting a new SIG. From this tab, the LITE, CORE, or FULL SIG will be available. The CORE SIG is a new designation and will be used for assessing service providers that run business critical functions, data, and systems. It is meant to meet the needs of most assessments.

• Industry References: Updates for 2018 that reflect industry and regulatory standards included:
• New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
• European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
• Content Organization and Updates:
• Tab K. Business Resiliency was updated for current threat environment and recovery planning best practices.
• Tab P. Privacy was updated to reflect current privacy rules, GDPR & domestic rule updates.
• Tab U. System Hardening Standards was updated to reflect new industry best practices.
• Tab V. Cloud Hosting was created to organize cloud security questions into its own separate tab and updated to reflect new industry standards and best practices.
• The total number of questions has been decreased by removing duplication and redundancy.

The 2018 Shared Assessments Standardized Control Assessment (SCA) Procedures – Formerly the Agreed Upon Procedures (AUP)

To better communicate the function of the tool and its alignment with the SIG questionnaire, the Agreed Upon Procedures (AUP) has been renamed the Standardized Control Assessment (SCA) procedures. This name change will also help eliminate any confusion with the formal definition of AUP within the AICPA practice standards, allowing for expansion of general attestation engagements to their client base using the SCA Tool and SCA Report Template.

Enhancements to the 2018 SCA include:

Content Re-Organization and Updates:

• The SCA, and its companion SCA Report Template, have been re-organized to align more closely with the SIG. The updated tool can be utilized for onsite or virtual assessments. All changes to content, including reorganization of section information, contain language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.((AT § 201.03: Agreed-Upon Procedures Engagements. American Institute of Certified Public Accountants (AICPA). June 1, 2001. Statement on Standards for Attestation Agreements (SSAE) No. 10. SSAE No. 11. AICPA. 2015; and as adopted by the Public Company Accounting Oversight Board (PCAOB), April 2003.))
• Section A. Risk Assessment and Treatment procedures have been added for brevity and clarity.
• Section I. Application Security subsections were added to more closely align with the SIG.
• Section K. Business Resiliency was updated for current threat environment and recovery planning best practices.
• Section P. Privacy was updated for current privacy rules, GDPR & domestic regulatory updates.
• Section U. System Hardening Standards were updated to reflect new industry best practices.
• Section V. Cloud Hosting has been added to align with the new SIG tab and to reflect the changing landscape of hosting options and vulnerabilities.
• SIG Alignment: The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.

Industry References: Updates reflect industry standards and regulatory including:

• New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
• European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
• Open Web Application Security Project (OWASP) Top Ten 2017 Vulnerabilities RC2 Project.

The 2018 Vendor Risk Management Maturity Model (VRMMM)

• Greater adoption of the VRMMM will improve third party risk management overall by assisting industry members in assessing and benchmarking the maturity of their own third party risk management programs. The VRMMM also allows for better benchmarking within and across industries in the annual benchmarking study.
• Access to this benchmarking tool is especially important to organizations new to third party risk and is aligned to the goal of Shared Assessments to advance the art of third party risk management.
• To download the Shared Assessments’ Free VRMMM, go to: www.sharedassessments.org/vrmmm.

GDPR Data Processor Privacy Tool Kit:
This new tool provides guidance for Data Processors who fall under compliance to the of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) 2016/679, stringent new requirements, which go into effect on May 25, 2018. To meet this deadline, organizations are being challenged with the very sizeable task of not only “re-papering” or modifying their vendor arrangements, but also of applying increased vigor in IT and privacy risk assessments to ensure that customer data is being processed according to the controller/processor contractual arrangements, in keeping with the regulation. Direct compliance liability for data protection provisions will now extend to the data processors or vendors.

The Tool Kit is Free: The bundle provides a narrative introduction and a series of mini-tools to help determine how to meet the new requirements that will be imposed on how Controllers (i.e., outsourcers) may appoint and monitor Data Processors (i.e., third party vendors).

Some of the insights provided by this Tool Kit – for both Controllers and Processors:

• Questions to ask your vendors regarding the secure and private handling of your affected customer data.
• Test steps to ensure controls are in effect and are operating as intended.
• A scoping checklist designed to help manage or structure the contract provision tool set needed for compliance.
• Identifying artifacts to support customer data controls and other privacy program efforts.

Members of the Shared Assessments Program can access the tools in the Member section of the website by clicking here. If you are interested in purchasing the Program Tools please contact info@sharedassessments.org.

About the Shared Assessments Program
The Shared Assessments Program is the trusted leader in third party risk management, with resources to effectively manage the critical components of the third party risk management lifecycle. These resources are creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of Shared Assessments third party risk management resources, including Program Tools, offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency. The Shared Assessments Program (https://sharedassessments.org) is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company based in Santa Fe, New Mexico.

By Linnea Solem, Chair, Shared Assessments Privacy Committee

On January 28th, organizations worldwide celebrate Data Privacy Day. The goal is to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. Each year organizations take this opportunity to spotlight key risk topics for privacy in the coming year. In reviewing 2017 and the potential challenges for data protection in 2018, a common thread in the media landscape is the risks that third parties bring to the table for organizations who need to protect customer data. The web site for Data Privacy Day, www.staysafeonline.org provides a suite of infographics and tools as to why privacy is important for consumers, businesses, organizations, schools, and non-profits. 75 percent of Americans feel it is “extremely” or “very” important that companies have “easy-to-understand, accessible information about what personal data is collected about them, how it is used and with whom it is shared.

Personally Identifiable Information (PII) Remains Top Information Risk
The International Association of Privacy Professionals (IAPP) conducted its second annual study of the disclosure statements of 150 publicly traded companies that shows 100% of these companies identified cyber attacks in their most recent 10-K reports as current and ongoing risks, up from 86% from the prior year. The loss of customer or employee PII remains at the top of the disclosed information-related risks at 87% with reputation harm the greatest potential consequence at 95%. After the risk of a cyber-attack, the #2 risk concern at 69% for surveyed companies was information loss or misuse by business partners or other third parties. That was a jump of 22% over the first report, which emphasizes the criticality of third party oversight and third party risk management. While most organizations indicated that changes in privacy laws and legal standards is a risk, only 10% specifically mentioned the upcoming enforcement of the EU General Data Protection Regulation (GDPR).

Third Party Risk Management a Key Priority in 2018
Changes in data protection regulations and legal standards are top of mind for many organizations in 2018 with the upcoming enforcement milestones of everything from New York State’s Cyber Security regulation to GDPR. In a recent study, the True Cost of Compliance with Data Protection Regulations, by the Ponemon Institute and Globalscape, 90% of respondents viewed GDPR compliance as the most difficult to achieve, surpassing even PCI DSS standards. GDPR. The impact of GDPR is not simply that the regulation extends liability directly to the service providers, but has an enforcement mechanism of fines up to $23.6 million or 4% of the total worldwide annual turnover of the company, whatever is higher. It is not surprising then that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.

GDPR compliance readiness is challenging to measure since many organizations may not be fully aware that they have triggered heightened compliance obligations. GDPR compliance can be triggered by any organization that stores or processes personal information about European Union citizens, regardless of their location or geographic boundaries. Compliance requirements are specific for data controllers and data processors. Access to personal data is considered a transfer of data from a GDPR viewpoint, triggering the need for strong understandings of data flows, data inventories, and cross border interactions. The concept of knowing where your data is, becomes an even more crucial part of compliance when looking at the third-party ecosystem. Being ready to conform to GDPR will require organizations to implement or expand third party vendor management programs to include third party assurance approaches that require additional due diligence to meet these new requirements.

To help meet this need, the Shared Assessments Program’s Privacy Committee – a leading group of
third party risk management privacy professionals across a variety of industries, has designed a
GDPR Data Processor Privacy Tool Kit to provide preliminary guidance to effectively evaluate and
manage third party risk for “Data Processors” under the GDPR. This GDPR Data Processor Privacy Tool Kit contains tools, checklists and templates that highlight a broad range of privacy-relevant requirements for third party relationships, and identify potential artifacts for review as evidence of conformance with GDPR requirements. The GDPR Data Processor Privacy Tool Kit is designed as a flexible set of tools and templates that any organization can incorporate into their third party risk management structures and processes.

So on this Data Privacy Day, access tools to Be Safe Online, and start to plan for GDPR readiness!

#PrivacyAware and #SAGDPRToolkit

By Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program

I’m often asked during the holiday season to reflect on the year’s setting sun of cyber threats and make predictions on the upcoming year’s threat horizon. Though I’m certainly not Carnac the Magnificent (one of the late Johnny Carson’s most memorable Tonight Show skits) however, kindly allow me to put on my big purple turban, hold an envelope to my head and mutter my three predictions…

“Going Mobile…Big Money…Third and Four.”

(Now let’s open the envelope, blow into it, and extract the answer…)
“Going Mobile” – No, this has nothing to do with the classic up-tempo song from The Who. It is a reference to data breaches through mobile devices. Through encounters with numerous cybersecurity professionals over the past year, I see that there appears to be quite consensus that a breach stemming from mobile devices lies on the horizon. This is understandable, as many organizations (particularly small and mid-sized organizations) continue to grapple with the challenges of securing not only the various mobile operating systems that they’re supporting, but for identifying the applications on these devices that may pose a threat to unauthorized data exposure. As “bring your own device” (BYOD) is increasingly adopted by organizations, it’s prudent to revisit your policies, procedures, practices, and standards to ensure that controls are present that are capable of tackling current, known threats and investigate ways to deal with mobile threats on the horizon.

“Big Money” – I’m predicting big payouts this year, from companies to regulatory agencies, from companies to other companies, and/or from companies to customers (via class-action lawsuits). US regulators, and even the New York Department of Financial Services (NYDFS), have made it clear that organizations must employ – and provide evidence – that a sound security and privacy posture exists ata their organization. Additionally, as the European General Data Protection Regulation (GDPR) goes into full affect this coming May, there’s much chatter in the privacy profession that companies out of compliance with GDPR will be hit hard financially (up to 4% of total turnover) as European data protection authorities (DPA’s) make efforts to show that any organization in possession of European customer data must take this regulation very seriously. The GDPR is no paper tiger – it certainly does have teeth – BIG teeth. Lastly, lawsuits between companies and even class-action lawsuits will result in hefty legal expenses and payouts to affected parties due to poor security or privacy posture. It’s additionally important to note that cybersecurity insurance normally does not cover a legal action brought against your organization.

“Third and Four” – Since we’re heading into NFL post season play, this may sound like “third down with four yards to go;” but since we’re talking cybersecurity, I am referencing third and fourth parties. Hackers are cognizant that most organizations outsource sensitive functions and data. Hackers will identify their targets and begin to scope the companies they’ve most likely contracted to (those that perform or handle certain key functions) and will then position those vendors for attack. Hackers will hunt for “back doors” and exploit any vulnerabilities to access their target’s network, so they can locate, browse, steal, poison (destroy or deploy malware), or highjack (via ransomware) the data on which they’ve set their sights. To prevent this, organizations need to be diligent in performing risk control assessments on their third parties and, where possible, their fourth parties as well. (Note that this effort may require assistance from the third party to examine fourth parties). It’s also extremely wise (and if you’re in a regulated environment, this part is practically mandatory) to participate in cyber and business resilience activities with your “critical” third and fourth parties.
So, now that I’ve made these predictions, I’m curious to see how long I’ll have to wait to see these come true. While I certainly hope none of these predictions come to fruition, given the current state of world we live in, I’m simply being a realist.

Have a safe and secure new year!

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. A nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn